The information in this document is based on these software and
hardware versions:

Cisco 2500 Series Routers

Cisco IOS® Software Release 12.2 (10b)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Are you using NAT during a network transition? For example, you changed a
server's IP address and, until you can update all the clients, you want the
clients that are not yet updated to reach the server at the original IP address
while the updated clients reach it at the new address.

The first step to deploy NAT is to define NAT inside and outside
interfaces. You may find it easiest to define your internal network as inside
and the external network as outside. However, which side counts as internal and
which as external is itself a matter of definition. This figure shows an
example of this.

You may want to allow internal users to access the internet, but you
may not have enough valid addresses to accommodate everyone. If all
communication with devices in the internet originates from the internal
devices, you need only a single valid address or a pool of valid addresses.

This figure shows a simple network diagram with the router interfaces
defined as inside and outside:

In this example, you want NAT to allow certain devices (the first 31
from each subnet) on the inside to originate communication with devices on the
outside by translating their invalid address to a valid address or pool of
addresses. The pool has been defined as the range of addresses 172.16.10.1
through 172.16.10.63.

Now you are ready to configure NAT. In order to accomplish what is
defined above, use dynamic NAT. With dynamic NAT, the translation table in the
router is initially empty and is populated once traffic that needs to be
translated passes through the router. This is in contrast to static NAT, where
a translation is configured statically and placed in the translation table
without the need for any traffic.

In this example, you can configure NAT to translate each of the inside
devices to a unique valid address, or to translate each of the inside devices
to the same valid address. This second method is known as overloading. An
example of how to configure each method is given here.

Note: Cisco highly recommends that you do not configure access lists
referenced by NAT commands with permit any. Using
permit any can result in NAT consuming too many
router resources which can cause network problems.
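The two dynamic NAT configurations the text refers to, written out here as an added example rather than the document's own sample configuration. The access list, the pool range and the pool name ovrld come from the text; Ethernet 0 as the inside interface, Serial 0 as the outside interface and the pool name no-overload are assumptions.

```cisco
! Added example, not the document's own sample configuration.
! Assumed: Ethernet 0 is the inside interface, Serial 0 is the outside
! interface, and the first pool is named no-overload.
!
! --- Method 1: translate each inside device to its own valid address ---
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix-length 24
!
! Translate the source address of packets that match access-list 7 and
! travel from an inside interface to an outside interface, using the pool.
ip nat inside source list 7 pool no-overload
!
interface ethernet 0
 ip nat inside
!
interface serial 0
 ip nat outside
!
! Only the first 32 addresses of 10.10.10.0 and of 10.10.20.0 are
! translated; the implicit deny at the end of the list leaves every other
! inside address untouched (and avoids the "permit any" problem above).
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
! --- Method 2: overload, every inside device shares one valid address ---
! Replace the pool and the translation rule of method 1 with these two
! lines; the interface and access-list commands stay the same.
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix-length 24
ip nat inside source list 7 pool ovrld overload
```

With method 1 the pool runs out after 63 simultaneous inside hosts; with method 2 the single address is shared by distinguishing sessions on their TCP or UDP port numbers.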

Notice in the previous configuration that only the first 32 addresses
from subnet 10.10.10.0 and the first 32 addresses from subnet 10.10.20.0 are
permitted by access-list 7. Therefore, only these
source addresses are translated. There may be other devices with other
addresses on the inside network, but these are not translated.

Note that in the second configuration the NAT pool "ovrld" only has a
range of one address. The keyword overload used in the
ip nat inside source list 7 pool ovrld overload
command allows NAT to translate multiple inside devices to the single address
in the pool.

Another variation of this command is ip nat inside source
list 7 interface serial 0 overload, which configures NAT to
overload on the address that is assigned to the serial 0 interface.

When overloading is configured, the router maintains enough information
from higher-level protocols (for example, TCP or UDP port numbers) to translate
the global address back to the correct local address. For definitions of global
and local address, refer to NAT: Global and Local Definitions.

You may need internal devices to exchange information with devices on
the internet, where the communication is initiated from the internet devices,
for example, email. It is typical for devices on the internet to send email to
a mail server that resides on the internal network.

In this example, you first define the NAT inside and outside
interfaces, as shown in the previous network diagram.

Second, you define that you want users on the inside to be able to
originate communication with the outside. Devices on the outside should be able
to originate communication with only the mail server on the inside.

Having a web server on the internal network is another example of when
it may be necessary for devices on the internet to initiate communication with
internal devices. In some cases the internal web server may be configured to
listen for web traffic on a TCP port other than port 80. For example, the
internal web server may be configured to listen to TCP port 8080. In this case,
you can use NAT to redirect traffic destined to TCP port 80 to TCP port 8080.

After you define the interfaces as shown in the previous network
diagram, you may decide that you want NAT to redirect packets from the outside
destined for 172.16.10.8:80 to 172.16.10.8:8080. You can use a
static NAT command in order to translate the TCP
port number to achieve this. A sample configuration is shown here.
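An added example (not the document's sample configuration) covering both outside-initiated cases above: the mail server and the web server listening on TCP port 8080. The web server address 172.16.10.8 and its ports come from the text; the mail server's inside address 10.10.10.2, the valid address 172.16.10.100 reserved for it, and the inside/outside interface names are assumptions, and limiting the mail server's entry to TCP port 25 is a choice made here.

```cisco
! Added example, not the document's own sample configuration.
! Assumed: Ethernet 0 inside, Serial 0 outside, mail server at 10.10.10.2
! on the inside, 172.16.10.100 reserved as its valid address.
interface ethernet 0
 ip nat inside
!
interface serial 0
 ip nat outside
!
! Inside users originate connections to the outside: overload on the
! address assigned to Serial 0, for the addresses permitted by list 7.
ip nat inside source list 7 interface serial 0 overload
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!
! Outside devices may originate connections only to the mail server, and
! only to TCP port 25. A static entry is a permanent mapping that works in
! both directions, so this one line is what opens the path in; no other
! inside host is reachable from the outside.
ip nat inside source static tcp 10.10.10.2 25 172.16.10.100 25
!
! The web server listens on TCP 8080 but is reached on TCP 80 from the
! outside: packets arriving on Serial 0 for 172.16.10.8:80 have their
! destination port rewritten to 8080, and replies from 172.16.10.8:8080
! leave with source port 80.
ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
```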

Note that the configuration description for the static NAT command
indicates that any packet received on the inside interface with a source
address of 172.16.10.8:8080 is translated to 172.16.10.8:80. This also implies
that any packet received on the outside interface with a destination address
of 172.16.10.8:80 has the destination translated to 172.16.10.8:8080.

Deploying NAT is useful when you need to readdress devices on the
network or when you replace one device with another. For instance, if all
devices in the network use a particular server and this server needs to be
replaced with a new one that has a new IP address, the reconfiguration of all
the network devices to use the new server address takes some time. In the
meantime, you can use NAT in order to configure the devices with the old
address to translate their packets to communicate with the new server.

Once you have defined the NAT interfaces as shown above, you may decide
that you want NAT to allow packets from the outside destined for the old server
address (172.16.10.8) to be translated and sent to the new server address. Note
that the new server is on another LAN, and devices on this LAN or any devices
reachable through this LAN (devices on the inside part of the network), should
be configured to use the new server's IP address if possible.

You can use static NAT to accomplish what you need. This is a sample
configuration.
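The readdressing case above as an added example (not the document's sample configuration). The old address 172.16.10.8 and the new server address 172.16.50.8 come from the text; the interface names are assumed, with Ethernet 0 on the LAN that holds the new server as inside and Serial 0 as outside, as in the earlier diagram.

```cisco
! Added example, not the document's own sample configuration.
! Assumed: Ethernet 0 connects to the LAN holding the new server and is the
! inside interface; Serial 0 faces the part of the network whose devices
! still use the old server address and is the outside interface.
interface ethernet 0
 ip nat inside
!
interface serial 0
 ip nat outside
!
! The old address 172.16.10.8 becomes the inside global address of the
! new server 172.16.50.8. Packets arriving on the outside interface for
! 172.16.10.8 are delivered to 172.16.50.8, and the server's replies leave
! with source address 172.16.10.8, so clients that were not reconfigured
! keep working. No access list or pool is involved: a single static entry
! stays in the translation table as long as the configuration is present.
ip nat inside source static 172.16.50.8 172.16.10.8
```

Routers on the outside must still forward traffic for 172.16.10.8 toward this router, and this router needs a route to 172.16.50.8, or the translated packets have nowhere to go.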

Note that the inside source NAT command in this example also implies
that packets received on the outside interface with a destination address of
172.16.10.8 have the destination address translated to 172.16.50.8.

Overlapping networks result when you assign IP addresses to internal
devices that are already being used by other devices within the internet.
Overlapping networks also result when two companies, both of whom use
RFC 1918 IP addresses in their networks, merge. These two networks need to
communicate, preferably without having to readdress all their devices. Refer to
Using NAT in Overlapping Networks for more information on the configuration of
NAT for this purpose.

A static NAT configuration creates a one-to-one mapping and translates
a specific address to another address. This type of configuration creates a
permanent entry in the NAT table as long as the configuration is present and
enables both inside and outside hosts to initiate a connection. This is mostly
useful for hosts that provide application services like mail, web, FTP and so
forth. For example:

Dynamic NAT is useful when fewer addresses are available than the
actual number of hosts to be translated. It creates an entry in the NAT table
when the host initiates a connection and establishes a one-to-one mapping
between the addresses. But, the mapping can vary and it depends upon the
registered address available in the pool at the time of the communication.
Dynamic NAT allows sessions to be initiated only from inside or outside
networks for which it is configured. Dynamic NAT entries are removed from the
translation table if the host does not communicate for a specific period of
time which is configurable. The address is then returned to the pool for use by
another host.

Once you've configured NAT, verify that it is operating as expected.
You can do this in a number of ways: using a network analyzer,
show commands, or debug commands. For a detailed example of NAT verification,
refer to Verifying NAT Operation and Basic NAT Troubleshooting.